[Samba] Online AD Backup fails with "no auth" in 4.20?
Matthias Kühne | Ellerhold Aktiengesellschaft
matthias.kuehne at ellerhold.de
Thu Jun 27 12:38:13 UTC 2024
Hey Luis,
on the member server:
# net ads testjoin
Join is OK
# wbinfo --ping-dc
checking the NETLOGON for domain[AD-ELLERHOLD] dc connection to
"rad-2.ad.ellerhold.lan" succeeded
SSH login to this member works, Access via SMB works... all good!
Our AD is healthy as far as I can tell... all services work as far as we
can tell.
The same command on a member server with 4.19 still works. Using another
domain member with 4.20 fails too. The ticket was created fresh today.
The package "samba-ad-dc" is installed on all DCs and was never
installed on the domain members.
Just for completeness: the upgrade to 4.20 was around 2 weeks ago and
this failing backup was pushed time and time again because we had other
(unrelated) bigger problems.
Regards, Matthias.
On 27.06.24 at 14:24, Luis Peromarta wrote:
>
> LP
> On Jun 27, 2024 at 13:13 +0100, Matthias Kühne | Ellerhold
> Aktiengesellschaft via samba <samba at lists.samba.org>, wrote:
>
> Hello lovely samba-people,
>
> did something change in regards to the online AD Backup in 4.20?
>
> We're using this CLI command to create a backup of our domain:
>
> /usr/bin/samba-tool domain backup online --targetdir="/my/path"
> --server="rad-2.ad.ellerhold.lan"
> --use-krb5-ccache="/opt/samba-ad-backup/ad-backup.krb5cc" -N
>
> This ran successfully on a member server without a problem. klist
> shows
> a valid ticket:
>
> # klist -c /opt/samba-ad-backup/ad-backup.krb5cc
> Ticket cache: FILE:/opt/samba-ad-backup/ad-backup.krb5cc
> Default principal: ad-backup at AD.ELLERHOLD.LAN
>
> Valid starting Expires Service principal
> 27/06/24 11:28:22 27/06/24 21:28:22
> krbtgt/AD.ELLERHOLD.LAN at AD.ELLERHOLD.LAN
> renew until 28/06/24 11:28:22
>
>
> After upgrading to 4.20 this results in the error message:
> ERROR(<class
> 'samba.join.DCJoinException'>): uncaught exception - Can't join,
> error:
> 00002020: Operation unavailable without authentication
>
>
> This suggests bad or no Join.
> What is the output of
>
> net ads testjoin
>
> ?
>
>
> Even this doesn't work:
>
> /usr/bin/samba-tool domain backup online --targetdir="/my/path"
> --server="dc1.example.org" -U Administrator
>
> Same error message on a member server. Running this on a DC prompts me
> for the password correctly. Running this on a 4.19 member server
> correctly prompts me for the password too.
>
> I even copied an smb.conf from a DC and added
> --configfile=/path/to/dc-smb.conf . Same error...
>
> Can someone point me in the right directory to make this work
> again on a
> 4.20 member server?
>
> Environment: Samba 4.20.2 in Debian 12 (mjts Repository).
>
>
> Did this fail after updating to samba 4.20 ? Is your AD showing any
> other problems ?
> Do you have the package samba-ad-dc installed in the DCs ? It wasn’t
> needed before 4.20 (or 4.20.1, not sure), but it is now.
>
>
> Thanks for your help and have a nice day.
>
>
> You too.
>
> Kind regards.
--
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe
District Court Dresden / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold